With so much news readily available, we never want to spread undue concern or raise anxiety without justification. But, given the unprecedented rise in hacking and phishing attempts globally in 2018, we feel compelled to draw as much attention as possible to good business practice.
Many of you will have received emails prompting you to click a link, sign in here, send money, and so on, and you are no doubt always vigilant. However, people will continue to get "caught out", and these risks will increase over the coming months and years.
As an IT company, we are continuously improving our offerings from a technology perspective and doing what we can to keep our networks secure. Multi-factor authentication and identity protection services are just two examples of what is available, and we are of course actively encouraging their uptake.
As important as the technology, however, are the processes which govern (or should govern) its use. It is vitally important that we all work regularly on our own internal processes to control the flow of data, and of money, within our businesses.
How can I spot these bad practices?
Some very specific examples where we have seen what we would perceive as a lack of validation and controls are:
- In-depth phone conversations (and email exchanges) with individuals impersonating genuine employees, suppliers or customers
- Large payments made to bank accounts without enough verification of the destination account
- Attempts to change details held on record about individuals working for a company (for example, where their salary is paid)
- Very few checks in place before agreeing to change a supplier's bank account details and sending funds to the new account
- No requirement for multiple sign-offs, verbal or written, on large BACS payments
These are just some examples where we need to evaluate, with surgical precision, who is allowed to do what within our businesses, where our liabilities lie, and how we double and triple check absolutely anything which potentially has a big risk attached.
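To make those controls concrete, here is an added example (our own illustration, not code from any payments product) of how a payment-release check could enforce them: a change to a payee's bank details is not trusted until someone has called the number already held on record (not one supplied in the change request), newly changed details sit in a short hold period, and any payment at or above a threshold needs two approvers other than the person who raised it. The payee names, phone numbers, threshold and hold period are all constructed for the illustration.

```python
"""Payment-release controls modelled after the checks listed above.
Added illustration only; every name, number and threshold is an assumption."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

DUAL_APPROVAL_THRESHOLD = 10_000.00   # assumed policy: at/above this, two approvers needed
BANK_CHANGE_HOLD = timedelta(days=2)  # assumed policy: hold after any bank-detail change


@dataclass
class Payee:
    name: str
    sort_code: str
    account_number: str
    callback_phone: str                 # number held on record BEFORE any change request
    details_changed_at: Optional[datetime] = None
    change_verified: bool = True        # False from a change until a callback confirms it


@dataclass
class PaymentRequest:
    payee: Payee
    amount: float
    requested_by: str
    approvals: set[str] = field(default_factory=set)


def request_bank_detail_change(payee: Payee, sort_code: str, account_number: str, at: datetime) -> None:
    """Record the new details but mark them unverified; funds must not go there yet."""
    payee.sort_code, payee.account_number = sort_code, account_number
    payee.details_changed_at = at
    payee.change_verified = False


def verify_by_callback(payee: Payee, phone_dialled: str, confirmed: bool) -> bool:
    """A callback only counts if staff dialled the number already on record.
    A number taken from the change request itself may belong to the fraudster."""
    if phone_dialled != payee.callback_phone:
        return False
    payee.change_verified = confirmed
    return confirmed


def payment_blockers(req: PaymentRequest, now: datetime) -> list[str]:
    """Return every reason the payment must not be released (empty list = clear to pay)."""
    reasons: list[str] = []
    p = req.payee
    if not p.change_verified:
        reasons.append("bank details changed but not verified by callback")
    if p.details_changed_at is not None and now - p.details_changed_at < BANK_CHANGE_HOLD:
        reasons.append("bank details changed within the hold period")
    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        independent = req.approvals - {req.requested_by}   # requester cannot approve own payment
        if len(independent) < 2:
            reasons.append("large payment needs two approvers other than the requester")
    return reasons


def demo() -> dict[str, list[str]]:
    """Constructed scenario: an emailed 'new bank details' request, then a large invoice."""
    t0 = datetime(2018, 6, 1, 9, 0)
    supplier = Payee("Acme Supplies Ltd", "12-34-56", "12345678", callback_phone="+44 20 7946 0000")
    out: dict[str, list[str]] = {}
    # 1. An email asks for payments to go to a new account; staff update the record.
    request_bank_detail_change(supplier, "65-43-21", "87654321", at=t0)
    invoice = PaymentRequest(supplier, 25_000.00, requested_by="alice")
    out["after_change"] = payment_blockers(invoice, t0 + timedelta(hours=1))
    # 2. Staff call the number in the email signature: not the number on record, so it does not count.
    verify_by_callback(supplier, "+44 7700 900123", confirmed=True)
    out["bad_callback"] = payment_blockers(invoice, t0 + timedelta(hours=2))
    # 3. Staff call the number held on record and the real contact confirms the change.
    verify_by_callback(supplier, "+44 20 7946 0000", confirmed=True)
    out["verified_in_hold"] = payment_blockers(invoice, t0 + timedelta(hours=3))
    # 4. Hold period elapsed, but the invoice is large and nobody else has signed it off.
    out["after_hold"] = payment_blockers(invoice, t0 + timedelta(days=3))
    # 5. Alice "approves" her own request plus one colleague: still only one independent approver.
    invoice.approvals.update({"alice", "bob"})
    out["one_approver"] = payment_blockers(invoice, t0 + timedelta(days=3))
    # 6. A second colleague signs off; the payment can now be released.
    invoice.approvals.add("carol")
    out["released"] = payment_blockers(invoice, t0 + timedelta(days=3))
    return out


if __name__ == "__main__":
    for stage, reasons in demo().items():
        print(f"{stage}: {reasons or 'clear to pay'}")
```

The point of the structure is that each control is a separate, named reason, so a blocked payment tells the approver exactly which check failed rather than silently passing once any single check succeeds.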
As an example of progress, banks are visibly stepping up their efforts to provide more secure platforms and verification. However, that will never be enough on its own, and the battle against fraudsters will be a long one. The fact that you can still send funds anywhere with nothing more than a sort code and account number, without the payee name even having to match the account, speaks volumes.
The time will come when we will be unable to blame the systems for not protecting us, and good old-fashioned checklists might just have to make a comeback.